From: petre rodan <kaiowas@gentoo.org>
To: jwcart2@epoch.ncsc.mil
Cc: SELinux <selinux@tycho.nsa.gov>, Chris PeBenito <pebenito@gentoo.org>
Subject: Re: gentoo diff for snmpd
Date: Fri, 19 Nov 2004 15:41:25 +0200 [thread overview]
Message-ID: <419DF805.80002@gentoo.org> (raw)
In-Reply-To: <1100808061.26930.18.camel@moss-lions.epoch.ncsc.mil>
Hi James,
James Carter wrote:
> Merged.
>
> Oops, there is no proc_net_t defined.
> Petre, could you send me the proc_net_t stuff as well.
please see the attachment.
> On Mon, 2004-11-15 at 11:20, petre rodan wrote:
>
>>Hi,
>>
>>gentoo has a special context for /proc/net:
>>genfscon proc /net system_u:object_r:proc_net_t
>>
>>so a small diff is needed for the snmpd policy. attached.
bye,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
[-- Attachment #1.2: proc_net_t.diff --]
[-- Type: text/plain, Size: 4668 bytes --]
Index: policy/genfs_contexts
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/genfs_contexts,v
retrieving revision 1.16
diff -u -B -r1.16 genfs_contexts
--- policy/genfs_contexts 8 Oct 2004 17:56:47 -0000 1.16
+++ policy/genfs_contexts 19 Nov 2004 13:31:04 -0000
@@ -36,6 +36,7 @@
genfscon proc /kcore system_u:object_r:proc_kcore_t
genfscon proc /mdstat system_u:object_r:proc_mdstat_t
genfscon proc /mtrr system_u:object_r:mtrr_device_t
+genfscon proc /net system_u:object_r:proc_net_t
genfscon proc /sysvipc system_u:object_r:proc_t
genfscon proc /sys system_u:object_r:sysctl_t
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
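Review bot: this genfscon entry relabels the whole /proc/net subtree, so every domain that previously reached /proc/net through its proc_t rules will start getting denials unless it is given proc_net_t rules too; the rest of this patch covers ifconfig_t, iptables_t, nfsd_t, the vmware domains and one global macro, but the snmpd domain the thread subject is about is not touched here and should be checked before merging. The entry itself is correctly placed in prefix order between /mtrr and /sysvipc and depends on the `type proc_net_t, proc_fs;` declaration added in procfs.te, which is what James reported missing from the first diff.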
Index: policy/domains/program/ifconfig.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/ifconfig.te,v
retrieving revision 1.9
diff -u -B -r1.9 ifconfig.te
--- policy/domains/program/ifconfig.te 10 Sep 2004 14:45:48 -0000 1.9
+++ policy/domains/program/ifconfig.te 19 Nov 2004 13:31:04 -0000
@@ -38,8 +38,8 @@
allow ifconfig_t { kernel_t init_t }:fd use;
# Access /proc
-allow ifconfig_t proc_t:dir r_dir_perms;
-allow ifconfig_t proc_t:file r_file_perms;
+allow ifconfig_t { proc_t proc_net_t }:dir r_dir_perms;
+allow ifconfig_t { proc_t proc_net_t }:file r_file_perms;
allow ifconfig_t privfd:fd use;
allow ifconfig_t run_init_t:fd use;
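Review bot: the two rules here grant ifconfig_t the full r_dir_perms / r_file_perms sets on proc_net_t, while the other per-domain hunks in this patch (iptables, nfsd, vmware) grant only `search` on the directory and `{ getattr read }` on files; pick one granularity for the new type. If the broad set is intended, `r_dir_file(ifconfig_t, proc_net_t)` expresses it in one line and matches the style the vmware macro already uses for proc_t.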
Index: policy/domains/program/unused/iptables.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/unused/iptables.te,v
retrieving revision 1.13
diff -u -B -r1.13 iptables.te
--- policy/domains/program/unused/iptables.te 8 Nov 2004 20:57:04 -0000 1.13
+++ policy/domains/program/unused/iptables.te 19 Nov 2004 13:31:04 -0000
@@ -54,6 +54,8 @@
ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
allow iptables_t proc_t:file { getattr read };
+allow iptables_t proc_net_t:dir { search };
+allow iptables_t proc_net_t:file { read getattr };
# system-config-network appends to /var/log
allow iptables_t var_log_t:file append;
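Review bot: `{ search }` wraps a single permission in braces; drop the braces so it reads `allow iptables_t proc_net_t:dir search;`, matching the nfsd_t rule later in this patch. The directory search rule is needed here because the existing proc_t rule above only covers files, and with /proc/net relabelled the domain must be able to traverse the directory before it can read anything in it.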
Index: policy/domains/program/unused/rpcd.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/domains/program/unused/rpcd.te,v
retrieving revision 1.26
diff -u -B -r1.26 rpcd.te
--- policy/domains/program/unused/rpcd.te 8 Nov 2004 20:57:04 -0000 1.26
+++ policy/domains/program/unused/rpcd.te 19 Nov 2004 13:31:04 -0000
@@ -71,6 +71,7 @@
# for /proc/fs/nfs/exports - should we have a new type?
allow nfsd_t proc_t:file r_file_perms;
+allow nfsd_t proc_net_t:dir search;
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t nfsd_fs_t:filesystem mount;
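Review bot: nfsd_t gets `search` on proc_net_t:dir but no file permissions, and the surrounding comment only talks about /proc/fs/nfs/exports, which is not under /proc/net. Either nfsd reads something below /proc/net, in which case it also needs `{ getattr read }` on proc_net_t:file and a comment saying which path, or it only traverses the directory, in which case a one-line comment explaining why search alone is required would keep the next reader from reopening the question.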
Index: policy/macros/global_macros.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/macros/global_macros.te,v
retrieving revision 1.46
diff -u -B -r1.46 global_macros.te
--- policy/macros/global_macros.te 17 Nov 2004 19:51:54 -0000 1.46
+++ policy/macros/global_macros.te 19 Nov 2004 13:31:05 -0000
@@ -214,6 +214,8 @@
# Read system information files in /proc.
allow $1 proc_t:dir r_dir_perms;
allow $1 proc_t:notdevfile_class_set r_file_perms;
+allow $1 proc_net_t:dir r_dir_perms;
+allow $1 proc_net_t:file r_file_perms;
allow $1 proc_mdstat_t:file r_file_perms;
# Stat /proc/kmsg and /proc/kcore.
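Review bot: the proc_t rule directly above uses `notdevfile_class_set` while the new proc_net_t rule is limited to `file`, so any lnk_file or other non-device class appearing under /proc/net would still be denied; use the same class set for the new type unless the narrower class is deliberate. More importantly, this macro (its name is outside the hunk, but the comment says it covers reading system information in /proc) is applied to a large number of domains, so adding proc_net_t here hands /proc/net back to all of them and largely cancels the confinement gained by splitting the type off from proc_t; confirm that is the intent rather than adding proc_net_t only to the domains that need it.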
Index: policy/macros/program/vmware_macros.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/macros/program/vmware_macros.te,v
retrieving revision 1.3
diff -u -B -r1.3 vmware_macros.te
--- policy/macros/program/vmware_macros.te 17 Nov 2004 19:51:55 -0000 1.3
+++ policy/macros/program/vmware_macros.te 19 Nov 2004 13:31:05 -0000
@@ -55,6 +55,8 @@
# Access /proc
r_dir_file($1_vmware_t, proc_t)
+allow $1_vmware_t proc_net_t:dir search;
+allow $1_vmware_t proc_net_t:file { getattr read };
# Access to some files in the user home directory
r_dir_file($1_vmware_t, $1_home_t)
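Review bot: the line above uses `r_dir_file($1_vmware_t, proc_t)` but the new rules spell out `search` and `{ getattr read }` by hand for proc_net_t; if the vmware domain should have the same access to /proc/net as to the rest of /proc, `r_dir_file($1_vmware_t, proc_net_t)` is shorter and consistent, and if the narrower set is intended, a short comment saying so would make the difference look deliberate.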
Index: policy/types/procfs.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/types/procfs.te,v
retrieving revision 1.7
diff -u -B -r1.7 procfs.te
--- policy/types/procfs.te 22 Sep 2004 20:19:14 -0000 1.7
+++ policy/types/procfs.te 19 Nov 2004 13:31:05 -0000
@@ -17,6 +17,7 @@
type proc_kmsg_t, proc_fs;
type proc_kcore_t, proc_fs;
type proc_mdstat_t, proc_fs;
+type proc_net_t, proc_fs;
#
# sysctl_t is the type of /proc/sys.
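Review bot: the declaration is correct and carries the proc_fs attribute like its neighbours, but the other special /proc types in this file are documented (see the `# sysctl_t is the type of /proc/sys.` comment right below); add a matching `# proc_net_t is the type of /proc/net.` comment so the purpose of the type is visible next to its definition.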